CertVerifyProcConstraintsTest: add validity tests

Bug: 1370748 Change-Id: I1e4437749f9c261541b4c8163e53eb877eb1c1c9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3999974 Reviewed-by: David Benjamin <davidben@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/main@{#1067912}
chromium · Nov 6, 2022 · 91e30a8 · 91e30a8
1 parent 524cd13
commit 91e30a8
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
@@ -4314,6 +4314,20 @@ class CertVerifyProcConstraintsTest : public CertVerifyProcInternalTest {
     return ERR_CERT_INVALID;
   }
 
+  int ExpectedRootExpiredError() {
+    if (VerifyProcTypeIsBuiltin() ||
+        verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
+      return OK;
+    }
+    return ERR_CERT_DATE_INVALID;
+  }
+
+  int ExpectedIntermediateExpiredError() {
+    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID)
+      return ERR_CERT_AUTHORITY_INVALID;
+    return ERR_CERT_DATE_INVALID;
+  }
+
   std::vector<std::unique_ptr<CertBuilder>> chain_;
 };
 
@@ -4410,6 +4424,34 @@ TEST_P(CertVerifyProcConstraintsTest, NameConstraintsMatchingIntermediate) {
   EXPECT_THAT(Verify(), IsOk());
 }
 
+TEST_P(CertVerifyProcConstraintsTest, ValidityExpiredRoot) {
+  chain_[3]->SetValidity(base::Time::Now() - base::Days(14),
+                         base::Time::Now() - base::Days(7));
+
+  EXPECT_THAT(Verify(), IsError(ExpectedRootExpiredError()));
+}
+
+TEST_P(CertVerifyProcConstraintsTest, ValidityNotYetValidRoot) {
+  chain_[3]->SetValidity(base::Time::Now() + base::Days(7),
+                         base::Time::Now() + base::Days(14));
+
+  EXPECT_THAT(Verify(), IsError(ExpectedRootExpiredError()));
+}
+
+TEST_P(CertVerifyProcConstraintsTest, ValidityExpiredIntermediate) {
+  chain_[2]->SetValidity(base::Time::Now() - base::Days(14),
+                         base::Time::Now() - base::Days(7));
+
+  EXPECT_THAT(Verify(), IsError(ExpectedIntermediateExpiredError()));
+}
+
+TEST_P(CertVerifyProcConstraintsTest, ValidityNotYetValidIntermediate) {
+  chain_[2]->SetValidity(base::Time::Now() + base::Days(7),
+                         base::Time::Now() + base::Days(14));
+
+  EXPECT_THAT(Verify(), IsError(ExpectedIntermediateExpiredError()));
+}
+
 TEST(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));